Cyber Security Academy · Lesson

OAuth 2.0 Flows

Authorization grants and tokens.

What OAuth 2.0 Actually Solves

OAuth 2.0 is a delegated authorization framework. It lets a user grant a third-party application limited access to their resources on another service without sharing their password.

  • It is about authorization (what an app may do), not authentication (who the user is).
  • The app receives a scoped access_token, never the user credentials.

Defenders must remember: OAuth alone does not prove identity. Treating an access token as proof of login is a classic mistake addressed by OIDC.

The Four Roles

Every OAuth flow involves four roles. Mapping them correctly is essential for threat modeling.

  • Resource Owner: the user who owns the data.
  • Client: the app requesting access.
  • Authorization Server (AS): issues tokens after consent.
  • Resource Server (RS): the API holding protected data; validates tokens.

Trust boundaries sit between these roles. A compromised client or a permissive AS undermines the whole chain.

Roles:
  Resource Owner       -> grants consent
  Client               -> requests + uses tokens
  Authorization Server -> issues tokens
  Resource Server      -> validates tokens
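The Resource Server's side of this mapping, as an added example that is not part of the original lesson: it validates a bearer token for one requested action (scope), audience and expiry, and shows that a valid token answers "what may this client do", not "who is logged in". The token table, token names, client id and audience values are constructed for the example and stand in for the Authorization Server's introspection endpoint.

```python
# Constructed introspection data standing in for what the Authorization Server
# (AS) knows about tokens it issued; a real RS would call the AS's introspection
# endpoint or verify a signed JWT. All values here are made up for the example.
NOW = 1_700_000_000
ISSUED_TOKENS = {
    "tok-read": {"active": True, "scope": "contacts:read", "aud": "contacts-api",
                 "exp": NOW + 600, "client_id": "calendar-app", "sub": "user-42"},
    "tok-expired": {"active": True, "scope": "contacts:read contacts:write",
                    "aud": "contacts-api", "exp": NOW - 1,
                    "client_id": "calendar-app", "sub": "user-42"},
    "tok-other-api": {"active": True, "scope": "contacts:read", "aud": "billing-api",
                      "exp": NOW + 600, "client_id": "calendar-app", "sub": "user-42"},
}


def introspect(token):
    """Stand-in for the AS introspection call; unknown tokens are reported inactive."""
    return ISSUED_TOKENS.get(token, {"active": False})


def validate_bearer(authorization_header, required_scope, audience, now=None):
    """Resource Server (RS) side: decide whether a request may perform one action.

    Returns (allowed, reason) with reason names taken from RFC 6750. Every check
    is about what the client may do with this token, not about who is logged in:
    a passing token proves delegation by the Resource Owner, not that the user
    is present; the 'sub' claim only tells the RS whose data to scope.
    """
    now = NOW if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False, "invalid_request"        # no bearer credential presented
    token = authorization_header[len("Bearer "):].strip()
    info = introspect(token)
    if not info.get("active"):
        return False, "invalid_token"          # revoked or never issued
    if info.get("exp", 0) <= now:
        return False, "invalid_token"          # expired
    if info.get("aud") != audience:
        return False, "invalid_token"          # issued for a different RS
    granted = set(info.get("scope", "").split())
    if required_scope not in granted:
        return False, "insufficient_scope"     # token is valid but too narrow
    return True, "ok"
```

The same token passes for `contacts:read` and fails for `contacts:write`, which is the scoped-access property the lesson describes; none of the checks establishes the user's identity.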
